The Information Commissioner’s Officer (ICO) ruled, on 3 July 2017, that the Royal Free NHS Foundation Trust (the Trust) had failed to comply with the Data Protection Act 1998 (DPA) when it provided 1.6 million patient details to Google DeepMind as part of a trial diagnosis and detection system for acute kidney injury, and required the Trust to sign an undertaking. The investigation brings together some of the most potent and controversial issues in data privacy today; sensitive health information and its use by the public sector to develop solutions combined with innovative technology driven by a sophisticated global digital company. This analysis provides insight on the investigation into Google DeepMind with focus on how the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) may impact the use of patient data going forward.
On September 5, the European Court of Human Rights (ECHR) issued a ruling in the case of Bărbulescu v. Romania that affirms employees’ right to privacy in the use of communications tools in the workplace. Although the ruling is strict, it aligns with the positions taken by the national courts of certain European Union Member States (e.g., Germany) and guidance issued by data protection authorities. And the criteria that the ECHR adopts for assessing the lawfulness of monitoring generally aligns with the requirements under the General Data Protection Regulation (GDPR), which takes full effect on May 25, 2018. In this post, we summarize the ruling and identify key takeaways for companies that monitor workforce use of information systems and tools in the EU. Continue Reading
The European Court of Human Rights decided on June 22, 2017 that France’s DNA database for convicted criminals disproportionately interferes with individuals’ privacy rights because of its one-size-fits-all retention period and the failure to include a procedure to request erasure. Continue Reading
The U.S. Court of Appeals for the Eighth Circuit has become the latest appellate court to enter the contested debate over Article III standing in data breach litigation. The Eighth Circuit held that 15 of 16 named plaintiffs who never alleged they had suffered identity theft or incurred fraudulent charges on their payment cards did not have standing to pursue claims based on alleged risk of future harm in the multidistrict action In re SuperValu, Inc. Customer Data Security Breach Litigation. The Eighth Circuit’s opinion comes on the heels of other decisions that found risk of future harm following a data breach sufficient to confer Article III standing on class action plaintiffs.
Hogan Lovells announced today that Edith Ramirez, the former Chairwoman of the US Federal Trade Commission (FTC), has joined the firm as a partner and will play an active role in Hogan Lovells’ Privacy and Cybersecurity practice. She will also co-head the firm’s Antitrust, Competition and Economic Regulation (ACER) practice. Continue Reading
You may not have noticed it, but despite all of the distractions caused by Brexit and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), the UK Information Commissioner’s Office (ICO) has been extremely active on the enforcement front in recent times. One of the features of this activity has been the variety of infringements targeted and, in particular, the focus on e-mail marketing. More specifically, the ICO has taken enforcement action by way of monetary penalties against well-known consumer brands such as Flybe, Honda, Morrisons and Moneysupermarket, for practices that might not have been seen as so out of order in the past. However, given the current tough stance taken by the ICO in connection with direct marketing practices, it would not be surprising to see future enforcement actions in this area.
What Companies Need to Observe When Implementing the GDPR
The German Ministry of Interior affairs has published an English translation of the new Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). On 27 April 2017 the German Parliament passed the BDSG in order to make use of the opening clause provided for in the EU General Data Protection Regulation (GDPR). This bill has been controversial; see here for an interview with Jan Albrecht, Stefan Brink and Tim Wybitul.
The new BDSG replaces its national predecessor, which has been in force for the last 40 years. The new BDSG is the first step toward adapting national German member State law to the provisions of the GDPR. With an effective date of 25 May 2018, the new BDSG will also form the basis for the adaption of further German data privacy acts to the GDPR. We note that several ministries have already indicated that they are preparing specific data privacy provisions concerning special processing situations like social security data protection, and we expect these provisions to follow the implementation of the BDSG.
This overview summarizes the major implications of the BDSG for companies operating in Germany.
The six-year fight over the type of harm a plaintiff must allege to satisfy the “injury in fact” requirement for lawsuits alleging false reporting of credit information took its latest turn this week. On Tuesday, August 15, 2017, the U.S. Court of Appeals for the Ninth Circuit, on remand from the United States Supreme Court, issued its opinion in Spokeo, Inc. v. Robins, a highly-watched case challenging whether a plaintiff can satisfy Article III standing based solely on a technical violation of the Fair Credit Reporting Act (FCRA). Plaintiff Thomas Robins brought a putative class action for willful violations of the FCRA against Spokeo, Inc., a company that generates profiles about people based on publicly available data. Among other things, Robins averred that Spokeo published an allegedly inaccurate profile about him on its website and therefore harmed his employment prospects at a time when he was out of work. The Ninth Circuit’s three-judge panel held that the publication of materially inaccurate information about Robins sufficed as concrete injury for purposes of Article III standing, even without specific allegations of tangible harm from that publication.
According to the German Federal Labor Court, Germany’s highest court for employment disputes, German employers are not allowed to monitor employees in the workplace without a concrete suspicion of a criminal violation or, in some cases, a serious breach of duty (judgment dated July 27, 2017, case ref. 2 AZR 681/16). This means that employer monitoring of an employee’s computer usage without a concrete suspicion, including the use of keylogging software that records all keyboard entries made at a desktop computer does not comply with German data privacy laws. Courts may exclude evidence obtained under violation of German data privacy laws from their proceedings. Continue Reading